Cloud Native Computing Foundation / KCD Amsterdam 2023

Jurgen Allewijn and Dinant Paardenkooper tell how they have overcome the challenges in setting up Azure Kubernetes Service in such a way that it is secure, multi-tenant and compliant with the local government regulations. The goal is to empower the workload teams with the latest technology and the DevOps way of working. On the Cloud Journey, the teams concluded that it isn’t just enabling “AKS”. It also requires a lot of management and Kubernetes knowledge, which is currently not present by most of the teams. The decision was made to create a Shared-AKS (DTAP) offering for all the teams within the City of Amsterdam, which led to cost savings and central management. To achieve this goal, the choice of multi-tenancy was born. New challenges arose concerning the security and compliance. One of the biggest challenges was segmentation of applications, which is by default not in nature of Kubernetes.

eBPF is hard. There are more and more docs and blogs, but the learning curve seems to be really steep. Where could you possibly start to play around with this new technology? In this talk, I will briefly introduce the (e)BPF landscape, then show you one of the easiest way to get started with eBPF. We will explore existing tools, and see what it takes to drop them into a Kubernetes cluster, and learn how can you expose their output as Prometheus metrics with only a few keystrokes.

Deciding to move to on-premise Kubernetes in a cloud-native era is not one that is made overnight. For Picnic, it was driven by the launch of Picnic's automated groceries packing warehouse and the low-latency requirement for controlling the 10km+ conveyor belts and 100+ packing stations. Being a cloud-native company from the start, we set out for a cloud-native experience, on-prem. I'll take you through our on-prem journey, what we liked and what was challenging, and what enabled us transition back to the could in the end.

Containers are awesome. They are fast, agile, and shareable. But how do you create perimeters in the cloud? Can I trust every container's content? Is my container behaving as it should? When containers come and go so fast, how can I catch anomalies? We tackle these questions and enable you to prepare, detect and respond to security threats in containers and Kubernetes without any loss of container benefits.

Executive Director at Cloud Native Computing Foundation, Priyanka Sharma provides insights into KCDs, KubeCon Amsterdam, and events in general.

Since its experimental introduction in 2015, Ingress has been the preferred way to manage traffic into the cluster (north-south), with a lot of different API gateways and proxy vendors implementing controllers for it. But its popularity and the different controller implementations also showed the limitations of its API, as vendors started to introduce their own APIs to complement the Ingress one. In 2019, with the knowledge gained from Ingress, a group of developers from SIG Network gathered to carefully design a new API from scratch, with the goal of keeping the simplicity, but to make it richer and extensible. In this talk we will introduce the new Gateway API, its benefits and how it compares to Ingress. By the end of the talk you will be able to understand the difference between the two APIs and the path to migrate from one to the other.

In this session, we will present some of the best practices for deploying GitOps application workloads in multi-application use cases. Using Syncwave, Hooks and ArgoCD Image Updater, we will present the advanced deployment patterns in GitOps / ArgoCD and discuss the promotion strategy between clusters in dev, test, stage and prod environments. Furthermore, we will demonstrate how to deploy GitOps Applications to multiple Kubernetes clusters simultaneously, by the means of grouping applications in Application Sets, using various strategies such as GitOps generators.

Users at CERN, the largest particle physics laboratory in the world, have very diverse computing requirements. CERN's IT department provides two services for running their cloud-native workloads: Kubernetes (based on OpenStack Magnum) and OpenShift (based on OKD). This talk will outline why both services are offered, alongside their benefits and drawbacks. In addition, the deployment model of each service will be described: both services use many open-source CNCF projects (such as OpenPolicyAgent or ArgoCD) as well as custom-built projects for integrating with the rest of CERN's computing environment (which is not always cloud-native) : networking, DNS, storage and authentication. Finally, we will share lessons learned during years of operating these services at large scales with thousands of applications and users.

ING has been building its Container Hosting capabilities since 2018. In this talk we'll share the details of this "mission": - how we built it, - what does it look like - what use cases we support (and which ones we do not (yet ?) support) - how we secure this environment - how we dealt with year-on-year exponential growth - what mistakes we commonly detect with workloads hosted on our platform - custom code we build and are Open-Sourcing And of course a short "demo" to show this isn't just slideware.

Cheryl Hung speaks to crossing the chasm with multi arch.

Collaboration in open source projects is important for companies, and it requires leadership that takes a strategic approach to sustaining contributions over time. An open source strategy that aligns with your company’s overall goals allows you to maintain the long-term commitment needed to sustain your contributions while building trust and influence in the open source projects that are strategic for your organization. This strategy should include aligning the needs of the company with important open source projects. If the needs of the company and the community are not aligned, this can create unhealthy dynamics that damage your company’s reputation and brand in addition to decreasing job satisfaction for employees. This talk will focus on ways to create this alignment and help all of us be successful together. The talk contains three major sections: 1) Dynamics of collaboration in open source projects between individuals, companies, and communities. 2) How your open source strategy can help you participate in ways that will benefit your company, your employees, and the community. 3) Tips for sustaining long-term, strategic participation in open source projects.

Get ready to dive into the exciting world of Kubernetes adoption in the Enterprise! In this electrifying talk, you'll discover the journey of Rabobank as they adopt Kubernetes and other cutting-edge cloud native technologies. Witness the migration from on-premise systems to Argo Workflows, FluxCD, and EKS, allowing Rabobank to seamlessly deliver their back office COTS application from India straight to their customers. Join us as we showcase the setup of our infrastructure, the challenges we faced, and how we conquered them. Don't miss out on this opportunity to learn and be inspired!

Now that cloud providers are offering a managed Kubernetes service it sounds like setting up a new Kubernetes cluster and start deploying applications to, should be easy...but reality is more brutal than that. Even though Kubernetes Service can be offered as a partially managed offering it doesn't mean that cloud provider takes responsibility for everything. It's extremely important to be aware of what you will be responsible for in terms of operating, securing and maintaining managed Kubernetes clusters - and how these changes will affect the rest of your organization. In this session we'll take a look at what you should consider and include in the planning and designing phase (Day Zero) BEFORE going all-in with managed Kubernetes Service. By looking at some real-life examples we'll see what the consequences may be if some of the areas are not planned for or are down-prioritized.

Kubernetes promises to run containerised workloads efficiently and at scale. It also provides auto-scaling features where the workloads can scale to meet the demands of the traffic. None of this is available by default and work needs to be done to reach the Kubernetes promised land. This talk will focus on how to architect Kubernetes clusters for high traffic websites or workloads. Attendees will learn how to configure ingress controller to securely expose workloads to external traffic. A demo will be presented which will show how Prometheus can be used to collect metrics from workloads. These metrics will then be fed to Kubernetes Pod Autoscaler using KEDA (Kubernetes Event-driven Autoscaling) to automatically scale the pods to meet the demand.

Free and Open Source Software is eating the world, but is at the same time a victim of its own success. Large enterprises rely on libraries maintained by the proverbial individual in Nebraska. Individuals or organizations may restrict the use of their technology or EOL versions of their software, posing real challenges to organizations depending on that technology. How can we as organizations, and individuals contribute to the viability and sustainability of open source for the generations to come?

With the Cloud Native landscape rapidly expanding and Kubernetes being used in over 50% of organizations, we've never had more opportunities for innovation and disruption, nor has the expectation for success been so demanding. With executive demands for multi-cloud interoperability, implementing cutting edge technology, and visible cost reduction across all departments, how can we ensure continued innovation? How do we manage that at scale across diverse technology and cultures? We'll dive into the pillars required for adopting developer centric platforms across organizations at scale in order to facilitate developer velocity.

Service meshes are becoming the secure, observable networking layer for distributed computing systems like Kubernetes. However, they are also known for their operational complexity and steep learning curve. This talk will help clear up the mess around service mesh. We will start by introducing what a service mesh is intended to do before diving into hands-on demos using Cilium Service Mesh powered by eBPF. The audience will learn how to monitor service-to-service connectivity, collect tracing data and golden metrics using standard Prometheus, Grafana, and OpenTelemetry with eBPF. The talk will close by discussing how eBPF eliminates service mesh sidecars to improve performance and reduce latency, operational complexity, and resource usage. By the end, the audience will be able to understand and implement a service mesh rather than mess.

Nobody likes the idea of unscheduled downtime, downgraded performance, or high costs due to unforeseen traffic demands. However, the solutions to these challenges aren’t always straightforward. Typically, the first response would be to spread your application for high availability (HA). However, you have to consider how traffic will be balanced in such topologies. How will you manage cross-zone or cross-regional traffic costs? How can you optimize your load balancing with unequal demands in different zones and regions? If that’s not enough, you also have to think about the underlying computing resources. How do you scale your cluster automatically whilst catering to scheduling constraints, pod requirements, and compute costs all at once? In this talk, Lukonde Mwila will walk through these challenges and share how teams can overcome them using pod anti-affinity, Istio, and Karpenter.

As one of the first streaming companies, Spotify has always been at the pioneering frontier of inventing and adopting new technology. But in a changing world and growing as a company, the requirements of our stack require constant improvement and rethinking. In 2022 Spotify started migrating to a gRPC Proxyless Service Mesh architecture, which we reverted due to 'issues'. Currently, we are in the process of rebooting this effort. This talk will be about why the original in-house developed protocol named Hermes and service discovery technology called Nameless are not suitable for our current scale anymore and what we are working on to replace them. I will also address the benefits and risks of migration at such a scale.